AT&T Defends iPad Email Address Hack

Thanks to a hole in AT&T's security, a group of hackers-for-hire called Goatse Security (tagline: "gaping holes exposed." If you don't get it, please do not investigate. For your own sake) was able to snag the email addresses of over 114,000 iPad 3G users. That list included illustrious members of the United States government and military, as well as prominent journalists and business leaders.

The hack aroused lots of outrage, even though realistically it's a fairly minor problem—the only data gained were those email addresses, and those give no direct means of gaining access to a user's system. But it's still a security breach, and AT&T was forced to explain. Not so surprisingly, AT&T laid the blame heavily on Goatse Security.

On June 7 we learned that unauthorized computer "hackers" maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.

Some of those claims are true—Goatse Security is, realistically, a loose-knit group of hackers, and the method described therein is fairly accurate—but the implication is a little suspect. Not only does AT&T refuse to apologize for leaving customer information so easily available, they threaten to prosecute (along
with the FBI, possibly) Goatse Security for the hack.

That part gets a little iffy. At first, in the original Gawker expose, Goatse Security claimed to have contacted AT&T about the security hole. AT&T says that is not the case, and in this CNET interview, a member of the Goatse team says the team merely ascertained that the hole was closed before offering the story to Gawker—they don't seem to have made much of an effort to contact AT&T. But that interview also makes it fairly clear that the group did not "distribute it [the list of email addresses] for their own publicity," and took pains not to reveal the flaw publicly until the network was no longer vulnerable.

Goatse methods and professionalism are murky, as can be expected from a group of hackers—and may or may not have broken the law here. But AT&T neglects to mention that this "hack" takes advantage of their own glaring security hole. The letter does not apologize for that screwup, and instead places the blame on the whistleblower.

Dan Nosowitz, the author of this post, can be followed on Twitter, corresponded with via email, and stalked in San Francisco (no link for that one—you'll have to do the legwork yourself).